RG1.171 核电厂安全系统中使用的数字计算机软件的软件单元测试 1997_图文

1、U.S. NUCLEAR REGULATORY COMMISSIONSeptember 1997REGULATORY GUI DEOFFICE OF NUCLEAR REGULATORY RESEARCH(Draft was DG-1057SOFTWARE UNIT TESTING FOR DIGITAL COMPUTER SOFTWARE USED IN SAFETY SYSTEMS OF NUCLEAR POWER PLANTSA. INTRODUCTIONIn 10 CFR Part 50, "Domestic Licensing of Pro duction and Util

2、ization Facilities," paragraph 55a(a(1 requires, in part, 1 that systems and components be de signed, tested, and inspected to quality standards comrequirement is contained in 10 CFR 50.55a(h, which requires that reactor protection systems satisfy the cri teria of IEEE Std 279-1971, "Crite

3、ria for Protection2Systems for Nuclear Power Generating Stations." Paragraph 4.3 of IEEE Std 279-19713 states that quali ty of components is to be achieved through the specifi cation of requirements known to promote high quality, such as requirements for design, inspection, and test. Many of th

4、e criteria in Appendix B to 10 CFR Part 50 contain requirements closely related to testing activities. Criterion I, "Organization," requires the es tablishment and execution of a quality assurance pro gram. Criterion H, "Quality Assurance Program," re quires, in part, that the pr

5、ogram take into account the need for special controls, processes, test equipment, tools, and skills to attain the required quality, as well as the need for verification of quality by inspection and test. Criterion III, "Design Control," requires, in part, that measures be established for v

6、erifying and checking the adequacy of design, such as by the performance of a2Plants," to 10 CFR Part 50 requires, in part, 1 that a qual ity assurance program be established and implemented in order to provide adequate assurance that systems and components important to safety will satisfactori

7、ly per form their safety functions. Appendix B, "Quality As surance Criteria for Nuclear Power Plants and Fuel Re processing Plants," to 10 CFR Part 50 describes criteria that a quality assurance program for systems and components that prevent or mitigate the consequences of postulated acc

8、idents must meet. In particular, besides the systems and components that directly prevent or mitigate the consequences of postulated accidents, the criteria of Appendix B also apply to all activities affect ing the safety-related functions of such systems and components as designing, purchasing, ins

9、talling, test ing, operating, maintaining, or modifying. A specificl1n this regulatory guide, many of t he regulations have been paraphrased; see 10 CFR Part 50 for the full text.mensurate with the safety function to be performed. Criterion 1, "Quality Standards and Records," of Ap pendix

10、A, "General Design Criteria for Nuclear Power7.Revision I of Regulatory Guide 1.153, "Criteria for Safety Systems," en dorses IEEE Std 603-1991,"Criteria for S afety Systems for Nuclear Power Generating Stations," as a method acceptable to the NRC staff for satis fying the N

11、RC's regulations with respect to the design, reliability, qualifi cation, and testability of t he power, instrumentation, and control portions of the safety systems of nuclear power plants.IEEE publications may be obtained from the IEEE Service Center, 445 Hoes Lane, Piscataway, NJ 08854.3USNRCR

12、EGULATORYGUIDESThe guides we Issued in the following ten broad divisions:Reglatory Guides are Issued to descibe and make avlable tothe public such Informslion as methods acceptable to the NRC staf for Implementing specific pans of the Com- mission's regulations, techniques usedbythestaff inevalu

13、ating specific problems orpos- tulated accdentsa and data needed by the NRC staff In Its review of ap:icationrs forper- mits and licensea. Regulatory guides are not sstitutes for regulations, and compiance with them Is not required. Methods and solutions different from those set out in theguides wil

14、l be acceptable If t hey provide a basis for the findings requisite to the Issuance or conlinuance of a permit or license by the Commission.This guide was lesu after consideration of comments received from thre public. Com- ments andsuggestions for inprovements Inthese guides wencosurged at all Imes

15、, and gue will be revised, as appropriate, to accommodate comments and to reflect new in = on or aperience.2Z Research and Test Reactors1. Power Reactors 6. Products3& F uels and Materials Facilities4. Environmental and Siting 5. Matrials and Plant Protection 8. Occupations! Health9. Antitust an

16、d Financial Review 10. General7. TransportationSingle copies of regulatory guides may be obtained free of chrge bywrlfing te Printing. Graphics anid Distribution Branch. Office of Administrtion, U.S. Nuclear Regulatory Com mission, Washington, DC 2055-0001; or by fox at (301415-5272Whitten comments

17、may be submitted to te Rules Review and Directives Branch, DFIPS,ADM, U.S. Nuclear Regulatory Commission, Washington, DC 2055-0001.Issued guides may also bepurchased! from me* N ational Technical Information Service on a standing order basis. Details on this service may be obtained by w riting NTIS,

18、 5285 PortRoyal Road, Springfield, VA 22161.suitable testing program, and that design control ty assurance processes, and if those systems include measures be applied to items such as the delineation of software, the requirements extend to the software ele acceptance criteria for inspections and tes

19、ts. Criterion ments.V, "Instructions, Procedures, and Drawings," requires In general, information provided by regulatory activities affecting quality to be prescribed by docu guides is reflected in the Standard Review Plan mented instructions, procedures, or drawings of a type (NUREG-0800.

20、 The Office of Nuclear Reactor Regu appropriate to the circumstances and that these activi lation uses the Standard Review Plan to review applica ties be accomplished in accordance with these instruc tions to construct and operate nuclear power plants. tions, procedures, or drawings. Criterion V fur

21、ther re This regulatory guide will apply to the revised Chapter quires that instructions, procedures, and drawings 7 of that document.include appropriate quantitative or qualitative accep tance criteria for determining that important activities The information collections contained in this regu have

22、 been satisfactorily accomplished. Criterion XI, latory guide are covered by the requirements of 10 CFR "Test Control," requires establishment of a test pro Part 50, which were approved by the Office of Manage gram to ensure that all testing required to demonstrate ment and Budget, approva

23、l number 3150-0011. The that structures, systems, and components will perform NRC may not conduct or sponsor, and a person is not satisfactorily in service is identified and performed in required to respond to, a collection of information un accordance with written test procedures that incorpoless i

24、t displays a currently valid OMB control number.rate the requirements and acceptance limits contained B. DISCUSSIONin applicable design documents. Test procedures must include provisions for ensuring that all prerequisites for The use of industry consensus standards is part of the given test have be

25、en met, that adequate test instru an overall approach to meeting the requirements of mentation is available and used, and that the test is per 10 CFR Part 50 when developing safety systems for formed under suitable environmental conditions. Crite nuclear power plants. Compliance with standards does

26、rion XI also requires that test results be documented and not guarantee that regulatory requirements will be met. evaluated to assure that test requirements have been sat However, compliance does ensure that practices isfied. Finally, Criteria VI, "Document Control," and accepted within va

27、rious technical communities will be XVII, "Quality Assurance Records," provide for the incorporated into the development and quality assur control of the issuance of documents, including ance processes used to design safety systems. These changes thereto, that prescribe all activities affe

28、cting practices are based on past experience and represent in quality and provide for the maintenance of sufficient dustry consensus on approaches used for development records to furnish evidence of activities affecting qualiof such systems.ty. The latter requires test records to identify the inspec

29、 Software incorporated into instrumentation and tor or data recorder, the type of observation, the results, control systems covered by Appendix B will be referred the acceptability of the results, and the action taken in to in this regulatory guide as safety system software. connection with any defi

30、ciencies noted.For safety system software, software testing is an im This regulatory guide endorses ANSI/IEEE Std portant part of the effort to achieve compliance with the 1008-1987, "IEEE Standard for Software Unit Test NRC's requirements. Software engineering practices ing," 3 with t

31、he exceptions stated in the Regulatory rely, in part, on software testing to meet general quality Position. IEEE Std 1008-1987 describes a method ac and reliability requirements consistent with Criteria 1 ceptable to the NRC staff for complying with parts of and 21 of A ppendix A to 10 CFR Part 50,

32、as well as Cri the NRC's regulations for promoting high functional teria I, II, III, V, VI, XI, and XVII of Appendix B.reliability and design quality in software used in safety The consensus standard, IEEE Std 1008-1987 systems. 4 In particular, the method is consistent with (reaffirmed in 1993,

33、 defines a method for planning, the previously cited General Design Criteria and the preparing for, conducting, and evaluating software unit criteria for quality assurance programs of Appendix B testing. The method described is consistent with the as they apply to software unit testing. The criteria

34、 of previously cited regulatory requirements as they apply Appendices A and B apply to systems and related qualito safety system software.Current practice for the development of software 4The term "safety systems" is synonymous with "safety-related systems." for high-integrity ap

35、plications includes the use of a The General Design Criteria cover systems, structures, and components software life cycle process that incorporates software "important to safety." The scope of t his regulatory guide is, however, lim ited to "safety systems," which are a subset o

36、f "systems important totesting activities, e.g., IEEE Std 1074-1991, "IEEE safety.Standard for Developing Software Life Cycle,Processes." 3 Software testing, including software unit testing, is a key element in software plied to the unit testing of safety system software, the validati

37、on verification activities, and as indicated by IEEE following exceptions are necessary and will be consid 1012-1986, Std "IEEE Standard for Software Verification ered by the NRC staff in the review of submittals from and Validation Plans," 3 and IEEE Std licensees 7-4.3.2-1993, and applic

38、ants. (In t his section, the cited crite "Standard Criteria for Digital ria are Computers in Appendix in Safety B to 10 CFR Part 50 unless other tems of Sys Nuclear Power Generating wise noted.Stations." A com mon approach to software testing NUREG/CR-6101, 1. SOFTWARE TESTING DOCUMENTATIO

39、N "Software Reliability and Safety in Nuclear Protection Reactor Systems" (November 1993; NUREG/ Criterion XI, "Test Control," requires that a test CR-6263, "High Integrity Software for Nuclear Power program be established to ensure that all testing re Plants: Candidate Guid

40、elines, Technical Basis and Re quired to demonstrate that systems and components search Needs" (June 19955 utilizes will perform satisfactorily in service is identified and program a three-level to help test ensure quality performed in accordance with written test procedures product in or a com

41、plex complex software set of cooperating software prod that incorporate requirements and acceptance limits ucts, i.e., unit-level testing, integration-level contained in applicable design documents. Criterion and testing, system-level testing such as system validation "Organization," I, Cr

42、iterion II, "Quality Assurance Pro or acceptance tests tests. IEEE Std 1008-1987 delineates an gram," Criterion III, "Design Control," Criterion V, approach to the unit testing of software that is "Instructions, Procedures, and Drawings," Criterion the based assumption

43、on of a larger context established by verifi VI, "Document Control," and Criterion XVIi, "Quality cation and validation (V&V planning Assurance Records," contain requirements bearing on general planning as well as for the full range of testing activities information associate

44、d with testing. IEEE Std to be applied. Therefore, software unit testing per 1008-1987, in section 1.1, mandates the use of the Test formed in accordance with IEEE Std 1008-1987 Design Specification and the Test Summary Report de should be consistent with planning information fined by ANSI/IEEE Std

45、829-1983, "IEEE Standard lished estab in V&V plans and higher-level for Software Test Documentation." In addition, IEEE plans, although software that planning test information is not within Std 1008-1987 either incorporates additional informa the scope of IEEE Std 1008-1987.tion into t

46、hese two documents or indicates the need for additional documents. Regardless of whether these two C. REGULATORY POSITIONdocumentation formats are used, the documentation The requirements in ANSI/IEEE Std 1008-1987, used to support software unit testing (either documen "IEEE Standard for Softwa

47、re Unit Testing," provide an tation used directly in the software unit testing activity approach or documentation of the overall testing effort must in requirements acceptable of 10 CFR to the Part NRC 50 as staff they apply to for meeting the unit the clude information necessary to meet regula

48、tory testing of safety system software, subject to the provi quirements re as applied to software test documentation. sions listed below. The appendices to IEEE As a minimum, this information includes:1008-1987 Std are not endorsed by this "* Qualifications, duties, responsibilities, and skills

49、except regulatory as noted guide below. Appendix A to this standard pro required of persons and organizations assigned to vides guidance regarding the implementation of the testing activities,software unit testing approach, and Appendix B to the standard provides context regarding " Environment

50、al software conditions and special controls,ing engineer information and testing assumptions that underlie equipment, tools, and instrumentation needed for the software unit testing approach.the accomplishment of testing,To meet the requirements of 10 CFR 50.55a(h " Test instructions and proced

51、ures incorporating theAppendix and A to 10 CFR Part 50 as assured by complying requirements and acceptance limits in applicable with the criteria of Appendix B to 10 CFR Part 50 apdesign documents," Test prerequisites and the criteria for meeting5Copies Office, are available at current them,(20

52、2512-2249; P.O. Box "* Test items and the approach taken by the testingIwriting NTIS at 5285 or 37082, from Port the Washington, rates from the Royal National Road, Technical DC U.S. 20402-9328 Government Printing Springfield, Information (telephone VA 22161. Service by available Copies for ins

53、pection are program,or copying for a fee from the NRC Public Docu dress ment Room at 2120 LStreet NW., Washington, DC; the PDR's mailing ad " Test logs, test data, and test results, (202634-3273; is Mail Stop fax LL-6, (202634-3343.Washington, DC 20555-0001; telephone "* Acceptance cri

54、teria,Test records indicating the identity of the tester, the type of observation, the results and acceptability, and the action taken in connection with any deficiencies.Any of the above information items that are not present in the documentation selected to support soft ware unit testing must be i

55、ncorporated as additional items.2. TEST PROGRAMCriterion XI, "Test Control," requires establish ment of a test program to ensure that all testing required to demonstrate that structures, systems, and compo nents will perform satisfactorily in service is identified and performed in accordan

56、ce with written test proce dures that incorporate the requirements and acceptance limits contained in applicable design documents. The two aspects of test coverage that are particularly important for the unit testing of safety system software are3. TEST PROGRAM RECORDSCriteria VI, "Document Con

57、trol," and XVII, "Quality Assurance Records," as well as 10 CFR 21.51, require the control and retention of documents and records affecting quality. In addition, Criterion III, "Design Control," requires that design changes be sub ject to design control measures commensurate

58、 with those applied to the original design. Preservation of testing products is discussed in section 3.8.2(4 of IEEE Std 1008-1987. Since design control measures must be applied to acceptance criteria for tests and since some software testing materials are frequently re-used and evolve during the co

59、urse of software development and software maintenance (for example, regression test materials, such materials should be configuration items under change control of a software configuration management system. 9 Additional information on this topic is provided in section A6 of Appendix A to IEEE Std 1

60、008-1987.4. INDEPENDENCE IN SOFFWAREVERIFICATIONCriterion III, "Design Control," imposes an inde pendence requirement for the verification and checking of the adequacy of the design, requiring that those per sons who verify and check be different from those who accomplish the design. Therefore, independence is an additional requirement for software unit testing. Either those persons who establish the requirements-based elements for a software unit test must be different from those who designed or coded the software, or there must be in